DCV Introduction
Domain Control Validation (DCV) is Horizon’s mechanism for automatically proving that an organization controls its DNS domains before certificates can be issued. Without a valid DCV, a Certificate Authority will refuse to issue a certificate for a domain.
Horizon automates the full DCV lifecycle: it periodically checks which domains are approaching expiration, fetches validation challenges from the CA, publishes those challenges to DNS infrastructure, and triggers the CA to confirm domain control, all without manual intervention.
The following three objects must be configured to enable DCV automation:
- DCV Providers: Define the connection to the Certificate Authority. A Provider holds the credentials and endpoint needed to retrieve domain validation status, fetch challenge tokens, and request CA verification of published challenges.
- DCV Provisioners: Define the connection to the DNS infrastructure. A Provisioner receives challenge tokens from the Provider and writes them to the appropriate DNS zone so the CA can look them up.
- DCV Policies: Tie a Provider and a Provisioner together with automation rules. A Policy defines which domains to validate, when to run, and how to handle retries and timeouts. It is the only object that is actively executed.
A single Provider or Provisioner can be reused across multiple Policies.
Limitations
- Horizon only supports TXT and CNAME DNS record types for DCV challenges. The record type is determined by the CA: the Provider fetches the challenge type from the CA and the Provisioner publishes the corresponding record. No other DCV challenge type should be selected or configured.
Validation Flow
When a Policy runs (on schedule or triggered manually):
- Horizon queries the Provider for all known domains, then keeps only those expiring within the renewal window and, if a domain filter is configured, matching that filter.
- For each selected domain, Horizon asks the Provider for a validation challenge token.
- The token is sent to the Provisioner, which publishes it to DNS.
- Horizon asks the Provider to verify the challenge. The CA looks up the DNS record and confirms domain control.
- If any step fails, Horizon retries from the failing step after the configured retry delay, not from the beginning.
- When all domains reach a final state, the policy run completes and its lifecycle triggers fire.
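The flow above, modelled as an added example that is not Horizon's own code: the `FakeProvider` and `FakeProvisioner` classes are constructed in-memory stand-ins for the CA and DNS sides (their method names, the `days_left` field and the `_dcv.` record name are assumptions), and `run_policy` shows the renewal-window and domain-filter selection, the TXT/CNAME-only publish step, and retry from the failing step rather than from the beginning.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatch

@dataclass
class FakeProvider:  # constructed CA-side stand-in, not Horizon's Provider API
    days_left: dict                                      # domain -> days until DCV expires
    verify_failures: dict = field(default_factory=dict)  # domain -> verifications to fail first
    def domains(self): return list(self.days_left)
    def challenge(self, d): return ("TXT", f"_dcv.{d}", f"token-{d}")
    def verify(self, d, zone):
        if self.verify_failures.get(d, 0) > 0:           # simulate a CA that is not ready yet
            self.verify_failures[d] -= 1
            return False
        return zone.get(f"_dcv.{d}") == f"token-{d}"

@dataclass
class FakeProvisioner:  # constructed DNS-side stand-in: an in-memory zone
    zone: dict = field(default_factory=dict)
    def publish(self, rtype, name, value):
        if rtype not in ("TXT", "CNAME"): raise ValueError("DCV uses TXT or CNAME only")
        self.zone[name] = value

def run_policy(provider, provisioner, renewal_days, domain_filter=None, max_retries=2):
    """One Policy run. Returns {domain: {"status": ..., "attempts": {step: count}, ...}}."""
    selected = [d for d in provider.domains()
                if provider.days_left[d] <= renewal_days
                and (domain_filter is None or fnmatch(d, domain_filter))]
    results = {}
    for d in selected:
        ch = {}                                          # challenge kept between steps
        steps = [("fetch",   lambda: ch.update(c=provider.challenge(d)) or True),
                 ("publish", lambda: provisioner.publish(*ch["c"]) or True),
                 ("verify",  lambda: provider.verify(d, provisioner.zone))]
        attempts, i = {}, 0
        while i < len(steps):
            name, fn = steps[i]
            attempts[name] = attempts.get(name, 0) + 1
            try:
                ok = fn()
            except Exception:
                ok = False
            if ok:
                i += 1                                   # advance only after success
            elif attempts[name] > max_retries:           # retries for this step exhausted
                results[d] = {"status": "failed", "failed_step": name, "attempts": attempts}
                break
            # otherwise stay on step i: retry after the configured delay (omitted here)
        else:
            results[d] = {"status": "validated", "attempts": attempts}
    return results
```

A domain whose CA verification fails transiently is retried at the verify step only, so its fetch and publish counters stay at one; a domain that keeps failing ends in the `failed` state with the step that exhausted its retries recorded.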